Canon EOS 1300D / Rebel T6

Started by the12354, October 03, 2016, 11:51:34 AM



critix

I ran the sure_copy_from_contrib.sh script and it is ok now.
Canon 1300D, 500D, EOS M, EOS M2

cin

Quote from: critix on January 31, 2020, 08:27:15 AM
I ran the sure_copy_from_contrib.sh script and it is ok now.

Is it ready to use on 1300D?
Canon 1300D

critix

ML is not running on 1300D yet.
Canon 1300D, 500D, EOS M, EOS M2

ROME

What else are we missing to keep the progress moving in the right direction?

Walter Schulz

Unicorn level: A person skilled with C, assembler and reverse engineering embedded devices (ARM architecture) with lots of free time at hand.

critix

Canon 1300D, 500D, EOS M, EOS M2



critix

is good:
Quote
1. Corrects a PTP communications vulnerability.
2. Corrects a vulnerability related to firmware update.
Canon 1300D, 500D, EOS M, EOS M2

alawiggle

Quote from: critix on March 30, 2020, 07:18:26 PM
is good:

Are we still waiting on Alex? My understanding was that we needed him to publish a .FIR file to set the camera bootflag? That's the last I heard and why I haven't bothered with this thread in a year lol

critix

We still do not need the FIR file for bootflag.
We must first solve the problems for this device.
Read:
https://www.magiclantern.fm/forum/index.php?topic=17969.msg211084#msg211084
The new firmware only solves some problems, but does not mean we can run ML on the 1300D.
I would have liked to be able to run ML, but it still has not succeeded (at least I can't) to solve the problem reported in the link above.
Maybe @a1ex can make a little time and help us, we can overcome this hop.
The same problem is with 2000D, 3000D, 4000D ...
Canon 1300D, 500D, EOS M, EOS M2

heder

Quote from: a1ex on July 17, 2018, 01:53:44 PM
This one is hard to fix - branch instructions in ARM code cannot go "too far" (they are limited to +/- 32MB around the address of the branch instruction). Normally, the compiler takes care of this (e.g. by using long jumps or inserting veneers - intermediate jumps), but here we are patching existing binary code in the firmware, to jump to our code instead.

I couldn't find an easy fix for this one; while a long jump can be implemented, it may require patching 2 instructions for one function. It's doable though, and other cameras will benefit from this (60D, which has the same problem in some experimental branches, and maybe some newer models too).

On 1300D I'm afraid we can't just use the workaround for 60D (where we load ML at a different address in order to be able to patch things), so a proper fix will be required in order to get some useful debug logs.

Quote from: a1ex on January 28, 2019, 12:56:47 PM
I'll try, but the solution is not straightforward.

Previously covered in replies #120 and #239.

Edit: confirmed the dm-spy-experiments branch is not working, even with minimal logging options (dm_spy_extra* commented out).

Need to use a long jump for patching DebugMsg. It started to work - to some extent - with this:

        /* first word: the far-call instruction, replacing the original instruction at DebugMsg_addr */
        int err = patch_instruction(DebugMsg_addr, MEM(DebugMsg_addr), FAR_CALL_INSTR, "dm-spy: log all DebugMsg calls");
        /* second word: the address of our hook, replacing the instruction at DebugMsg_addr + 4 as well */
        err |= patch_instruction(DebugMsg_addr + 4, MEM(DebugMsg_addr + 4), &my_DebugMsg, "dm-spy: log all DebugMsg calls");


The semaphore error appears to come from beep() - somebody's calling that before beep_init. Disabled beeps, it went further.

When trying to save the log, it fails with:

[dm-spy] captured 128kB of messages
[NotifyBox] Pretty-printing... (128kB)
[     CtrlSrv:fe49c7fc ] (83:02) DlgShootOlc.c LOCAL_DIALOG_REFRESH
qemu: fatal: Trying to execute code outside RAM or ROM at 0x87274218


That was because I've patched two instructions from DebugMsg, to implement the long call, but when uninstalling the logging hook, I should have "unpatched" both instructions. Rookie mistake.

Now, the hard part - clean up the code and commit it :D

Still need to find a general solution for patching arbitrary functions in Canon code (i.e. to implement long jump support in the patch manager).

The firmware is located at the end, and ends at 0xFFFFFFFF

What happens if you try to jump over 0xFFFFFFFF (relative)? Does the address wrap into 0xxxxxxx RAM? (Or do we get an exception, possibly yes?)

But if we don't get an exception, we could steal the first usable location in RAM and make patch_instruction/gdb call this RAM
function (using a single branch relative instruction). Then we could let this function analyze the lr and jump to the correct
location based on the lr value. This also requires that patch_instructions/gdb make a table of pc/lr's and where to jump to / jump back to
... some text here ..
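As an added example (Python, not Magic Lantern code, and not how the project's patch manager is implemented), the following models the two points above: the +/- 32 MB reach of an ARM-state B/BL instruction, the two-word far-jump fallback (the standard ldr pc, [pc, #-4] followed by the target address, the same shape as the two-instruction patch quoted above), and a patch set that records every word it writes so that uninstalling restores both halves. Branch offsets are computed modulo 2**32, which is how the ARM branch encoding defines the target, so the code also shows what a relative branch placed just below 0xFFFFFFFF resolves to. All addresses and memory words in the demo are constructed, not 1300D values; the function and class names are mine; Thumb state is not covered.

```python
# Added example (not Magic Lantern code): ARM branch range check, B/BL
# encoding, the two-word far-jump fallback, and a patch set that records
# every word it writes so that uninstall restores all of them.

ARM_MODE_PC_OFFSET = 8            # in ARM state, PC reads as instruction address + 8
BRANCH_MIN = -(1 << 25)           # B/BL: imm24 << 2, sign-extended, i.e. -32 MiB ...
BRANCH_MAX = (1 << 25) - 4        # ... up to +32 MiB - 4
MASK32 = 0xFFFFFFFF
FAR_JUMP_INSTR = 0xE51FF004       # ldr pc, [pc, #-4]: loads the word that follows into pc
B_OPCODE = 0xEA000000             # cond=AL, B
BL_OPCODE = 0xEB000000            # cond=AL, BL


def branch_offset(from_addr, to_addr):
    """Signed displacement from the pipeline PC, computed modulo 2**32.

    Because the arithmetic wraps, a branch placed just below 0xFFFFFFFF can
    reach low RAM with a small positive offset.
    """
    delta = (to_addr - (from_addr + ARM_MODE_PC_OFFSET)) & MASK32
    return delta - (1 << 32) if delta & 0x80000000 else delta


def in_branch_range(from_addr, to_addr):
    return BRANCH_MIN <= branch_offset(from_addr, to_addr) <= BRANCH_MAX


def encode_branch(from_addr, to_addr, link=False):
    """Encode B (or BL) from from_addr to to_addr; raises if out of range."""
    off = branch_offset(from_addr, to_addr)
    if not BRANCH_MIN <= off <= BRANCH_MAX:
        raise ValueError("target is more than 32 MiB away: needs a far jump")
    if off & 3:
        raise ValueError("ARM branch targets must be word aligned")
    return (BL_OPCODE if link else B_OPCODE) | ((off >> 2) & 0xFFFFFF)


def patch_words(from_addr, to_addr, link=False):
    """Return the (address, word) pairs needed to redirect from_addr to to_addr.

    One word when a plain branch reaches; otherwise the two-word far jump,
    which also overwrites the instruction at from_addr + 4. The far form is
    a jump, not a call: lr is not set, so the hook must handle return itself.
    """
    if in_branch_range(from_addr, to_addr):
        return [(from_addr, encode_branch(from_addr, to_addr, link))]
    return [(from_addr, FAR_JUMP_INSTR), (from_addr + 4, to_addr & MASK32)]


class PatchSet:
    """Installs patches into a word-addressed memory map (a dict) and keeps
    every original word, so uninstall() restores both halves of a far jump."""

    def __init__(self):
        self._saved = []                       # (addr, original word), install order

    def install(self, mem, from_addr, to_addr, link=False):
        for addr, word in patch_words(from_addr, to_addr, link):
            self._saved.append((addr, mem[addr]))
            mem[addr] = word

    def uninstall(self, mem):
        for addr, word in reversed(self._saved):   # undo in reverse order
            mem[addr] = word
        self._saved.clear()


if __name__ == "__main__":
    # Constructed addresses, not real 1300D ones: a function near the top of
    # ROM and a hook in RAM, with two constructed prologue words.
    rom_func, ram_hook = 0xFE0C0000, 0x00800000
    mem = {rom_func: 0xE92D4010, rom_func + 4: 0xE1A04000}
    ps = PatchSet()
    ps.install(mem, rom_func, ram_hook)
    print("patched:", [hex(w) for w in (mem[rom_func], mem[rom_func + 4])])
    ps.uninstall(mem)
    print("restored:", [hex(w) for w in (mem[rom_func], mem[rom_func + 4])])
```

The second word of the far form is data, not an instruction, so whatever originally sat at from_addr + 4 is lost until uninstall; that is exactly the half that must not be forgotten when the hook is removed. A plain branch from 0xFFFFFFF0 to 0x00000010 encodes fine because the displacement wraps, while the constructed ROM-to-RAM pair above is about 39 MiB apart and falls back to the far jump.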

alawiggle

Quote from: critix on March 31, 2020, 10:40:01 AM
We still do not need the FIR file for bootflag.
We must first solve the problems for this device.
Read:
https://www.magiclantern.fm/forum/index.php?topic=17969.msg211084#msg211084
The new firmware only solves some problems, but does not mean we can run ML on the 1300D.
I would have liked to be able to run ML, but it still has not succeeded (at least I can't) to solve the problem reported in the link above.
Maybe @a1ex can make a little time and help us, we can overcome this hop.
The same problem is with 2000D, 3000D, 4000D ...


You've told me before Alex was necessary to solve this - now he may not be, just that he's currently the only one here who has the know-how to?

heder

Quote from: alawiggle on March 31, 2020, 05:54:40 PM

You've told me before Alex was necessary to solve this - now he may not be, just that he's currently the only one here who has the know-how to?

Wise words from Walter Schulz

Quote from: Walter Schulz on February 12, 2020, 07:09:46 PM
Unicorn level: A person skilled with C, assembler and reverse engineering embedded devices (ARM architecture) with lots of free time at hand.

People with these skills (including myself) have wife, kids, boats, dogs, cats and a job and a lot of hobbies, amongst those one called ML. Guess the priority ..   :o
... some text here ..

alawiggle

Quote from: heder on March 31, 2020, 06:35:56 PM
Wise words from Walter Schulz

People with these skills (including myself) have wife, kids, boats, dogs, cats and a job and a lot of hobbies, amongst those one called ML. Guess the priority ..   :o

Yes, I understand and I get it - but I was told that, specifically, Alex was the *only* one that could move this particular project forward. Now it seems this may not be the case? I'm just trying to determine if this is doable by somebody other than him. I understood that he had some "key" or some sort to the Canon firmware that was needed.

heder

Quote from: alawiggle on April 06, 2020, 03:03:53 AM
Yes, I understand and I get it - but I was told that, specifically, Alex was the *only* one that could move this particular project forward. Now it seems this may not be the case? I'm just trying to determine if this is doable by somebody other than him. I understood that he had some "key" or some sort to the Canon firmware that was needed.

He's not the only one, but there are only a few of us with the right skills and time. Ok, I will take a look later this month, and try to get qemu running with a modified patch instruction. My main focus is however 40d.

First issue is getting qemu to run, then later the bootflag issue. But I can't solve the last as I don't own that camera.
... some text here ..

critix

If you can help us with modifying patch instruction so we can start in qemu. I have 1300D and I want to continue with this project.
Thank you.
Canon 1300D, 500D, EOS M, EOS M2

denizza

Hello, I am new on this forum, so tbh I don't know anything about ML, but I have a 1300D and I want to help with the project.

Walter Schulz


denizza


Walter Schulz

ATM: Yes.
But if you are able to invest several hundred hours of work into learning it: No.

Zi7ar21

Hello, I have a Canon EOS Rebel T6 / 1300D and am willing to help out. If I have to learn stuff before starting, can someone please give me some tips and a place to look? Neat!

Walter Schulz

Visit the autoexec_bin Twitter account and the sticky tweet there. Use ROM dumper to get a ... well ... ROM dump.

denizza

Can we brick the camera with this?

Walter Schulz